cyberwart

CYA Pen Test Style

mjw — Sat, 06 Dec 2008 04:11:26 +0000

Today I was sort of surprised that basic CYA steps I use for pen testing weren’t immediately obvious to others. Maybe I’m exceptionally paranoid and worry to much but I thought I’d share some thoughts on the CYA business end of things.

Always start with a signed contract and rules of engagement. Do nothing without having this document.
Always read the Statement of Work (SoW) and the Rules of Engagement (RoE). These define both what you have to do and what you can’t do.
Always keep your PoC happy. Everything is much easier if your contact is happy. Make sure you ask them up front what they hope to get out of the engagement and check in to see that you’re meeting the objectives.
For any variation in the RoE/Contract feel it out verbally with the PoC first. If all is well, follow up with an email confirming what you heard and CC the project management. (good pen testers sometimes cheat, but this is how things should be done…)
Check with your management that your variations are cool. Sometimes actions are too risky for them and sometimes they don’t want to do free labor. This item really depends on your management.
If you put any tools or accounts on boxes notate it all in a spreadsheet as you do it. Track state, install, md5, uninstall — always uninstall/remove anything you create.

Computational Modeling

mjw — Sat, 06 Dec 2008 03:56:57 +0000

For the most part, I’ve avoided general ranting on my blog. However tonight I feel compelled. First, hearing Amherst people rant about politics is hilarious. Foremost, being from DC I hear strong arguments about the difficulties of executing effective public policy. There are idealist, but their grounded in realities. For example, I’m hugely liberal and I think issues such as homlessness should be fought. The difficulty is that as aid goes up, people are more inclined to rely on the safety net and the problem compounds. Here they seem to ignore such realities.

The thing that really suprises me is that they only theorize the systems. I’m probably overly inclined to build models and I’m fully aware of their flaws, but I can’t imagine a simulation would be worse of than pure brain power. Maybe I should go build one for the fun of it. I actually think it would be kind of interesting. I could roughly model a town or something with people, topology, income, political drive, etc. Add some randomness and see how things (d)evolve. Economic and political theory are amusing enough. I bet it could keep my attention long enough to build…now if only I didn’t have 10 other projects.

Pen Testing on a Mac

mjw — Tue, 18 Nov 2008 02:44:06 +0000

Adam talked me into buying a Macbook. It’s not overly hard to talk me into buying technology so lets not give him too much credit. Really, all I needed was a laptop that could do basic Internet type stuff and run VMware. As you may have read earlier, we were swamped with scanning so I had to push two boxes to be scanning machines, which left me with limited ability to do real work or to stay up on business stuff like email.

So my experience so far: Everyone knows Macs are pretty. They’re light and have small sleek form factor. The display is lovely. They keyboard is spacious and easy to use. The touchpad took a bit to get use to, but overall I’m not happy with it. It’s multi-touch capable and overall a nifty tool once you learn how to use it.

Software is actually good. Vmware Fusion is nicer and more responsive than either VMware Workstation or Server. Graphics run far faster and it’s a nicer experience. Additionally, you can use “Unity” and run Windows software on the Mac desktop. The only thing that really irks me is that there isn’t a Vmware-server-console or a Firefox/Safari plugin to access VMware server easily. So access is through a contrived VM in a VM type thing or over X11. It’s ugly, but it’s been fairly successful.

Port is my friend. It installs basically everything you might want. It has some quirks, but being a Gentoo guy I’m use to a certain amount of pain when moving to a new OS. Port builds from source and usually works — once you learn a few tricks. I have Wireshark, libpcap, libnet, scapy, python, CANVAS, metasploit, kismet, nmap, and hping working. Nessus has an install for Mac.

My Verizon Mobile Card works fine

MS Office is fine. It looks a little different but it’s Office.

Hardware is blazing. I have 4 gigs of Ram. A 250 gb hard drive and a 2.4Ghz Core duo.

Overall, I think it’s a very positive experience and I’d recommend it if you have a bit of tim to invest in getting familiar with the OS and getting the tools that you need onto the box.

Long Live Non-MS Bugs

mjw — Sun, 16 Nov 2008 20:26:16 +0000

Everyone loves to beat up on Microsoft. Hell, I do… sorry Carric. But Microsoft is slowly getting it’s software in order and organizations are learning to patch it very quickly. Personally, love doing exploit development on small custom software. But in a recent case, I saw a larger software package with a known bug but no exploit.

In particular, I’m talking about the command execution vuln released in October for BrightStor ARCServe. BID 31684.

To actually exploit the bug use Nessus/Nasl

Find the file: arcserve_command_exec.nasl

Copy it somewhere and edit. Change the following:

Ditch the requirements. Comment out
#script_require_keys(”Host/OS/smb”)
#script_require_ports (6504);
Manually set the hostname
host = kb_smb_name(); to host = “hostname”; Note, and IP won’t work
Change the cmd
cmd = “ifconfig”; to whatever you want
Change the output to use the display() function so you can see what happens
Run the NASL
nasl -t target_ip_or_hostname yournasl.nasl

Yes, this is a bit clunky, but it’s a fairly quick way to execute arbitrary commands on the remote system. RPC (IMO) is difficult and I’d rather not deal with it if some else already has.

The Sorry State of Vuln Scanners

mjw — Sun, 16 Nov 2008 20:16:26 +0000

I’ve decided that I truly HATE most vulnerability scanners. Generally I don’t trust the things, but they’ve always done a fair job of giving me a checkbox for patches and by providing a little guidance on how to attack a network. Well recently we’re had to scan multiple class B networks both internally and externally. It’s been brutal. Nothing finishes, results vary. It sucks hardcore.

I’ve noticed a few things. First, it’s almost impossible to by vuln scanning software these days. Everyone wants to sell an appliance .As a consultant that doesn’t really work for me. I need to take the software with me on a laptop into a client site. An appliance makes the software basically useless.

So our Qualys box is out of the mix. Next we moved onto Nessus. Who doesn’t love Nessus? It’s not flashy but it gets the job done… right? Well no. It crashed. Over and over. It wouldn’t save state and if it crashed you had to restart.

Fuck.

Sure you say, do small bunches at once. Well this shouldn’t matter. It irked me that Nessus didn’t do the host management/scanning properly itself. Manually manging it is nuts. But worse, If you break scans into small bunches, you then have to merge all the results at the end.

Next I tried an old FS image. Well that can pause scans and resume them after a crash, but it’s had previous known issues. Further, it won’t finish. It’s hung at 99% done for days. I’ve checked and it’s still running scans and producing results but 99% for days.

I find it sad that a team of pen testers, some previously software developers, and all experienced with the tools can’t get them to work effectively.

Kiosk Fun

mjw — Sun, 16 Nov 2008 20:06:05 +0000

As most of my friends know, I have a tendency to run late. Well I was running late the other day holding up my friend, Adam Pridgen. He was patiently waiting for me in the hotel lobby and started playing with the kiosk. I beleive the particular software is kiosksafe. I had ran into it before and knew that it did a fair job. The software not only remaps/intercepts kep strokes but it also appears to run some sort of rootkit. When a particular API is called — or possibly a window has a certain name, the software locks the site down. It’s most unfortunate.

I threw iKat at it for fun. I saw iKat at defcon and always wanted to give it a try. It did a fair job of crashing the hell out of the Kiosk but it gave me fairly limited results.

Everyone knows the typical file-menu type hacks trying to find something that opens up the system in a somewhat clever manner. Those didn’t work, but Office had potential. So I decided to play. In the end, I got a fair amount of access with a Word doc.

First, change the default configuration paths for Word. This just makes sure Word opens up with high level access. I generally set it to C:\

The below screenshots show most of the process

Double click the icon and hopefully it works for you. cmd.exe sometimes has issues but IE, Windows Media Player, etc work a little better

Sample word doc provided shortly.

Teaching at a University

mjw — Sun, 16 Nov 2008 19:48:24 +0000

I had the opportunity to teach class at a University last week. It was an interesting experience. A friend of mine, Adam Pridgen, co lectured with me. The class was a senior level seminar type class on computer security. I wasn’t sure exactly what to expect going into the class, but I had done a previous intro to penetration testing so I updated that and went in.
The class started with an intro presentation by one of the students. It appears the students update the class with a somewhat recent security topic. In this case, it was a 5 minute overview of the uTorrent overflow. I was immediately nervous as I only had 10-15% of my slides at the in-depth exploitation/fuzzing level. I was worried that I would bore the class or not be able to speak with enough knowledge of particular exploits straight from memory. After the student got past the first slide or two, there were some contradictions and inaccuracies. The students didn’t jump on it so I figured I wasn’t in too much trouble.

Shortly there after, Adam and I were introduced and we went into our thing. We talked about some of the common mistakes that really enable attackers to compromise networks. We discussed some of the tools and techniques we used – giving examples of situations where we had used them. Unfortunately, I don’t think they really connected. The professor got into it, but not the students. Between a couple non-public bugs/attacks and the story of the power company CEO ignoring the out-briefing until I showed a screenshot of his email – I thought we were golden. But I guess such is the state of computer security education right now.